The nuances and complexities of mastering the current healthcare IT security environment took center stage during the first panel discussion of the day on Thursday, August 11, as the Health IT Summit in Nashville, sponsored by the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group, LLC corporate umbrella) got underway at the Sheraton Downtown Nashville, in Nashville, Tenn.
Following an opening keynote address by Steven J. Stack, M.D., an emergency physician from Lexington, Ky., and the immediate past chair of the American Medical Association, which focused on physicians’ frustrations with electronic health records (EHRs), a group of industry leaders turned to healthcare IT security in a panel discussion entitled “Security & Data Protection: High Tech & High Touch,” which was chaired by Glenn Pearson, principal in the consulting firm Pearson Health Tech Insights, LLC.
Pearson was joined on the panel by Patricia A. (Patty) Lavely, senior vice president and CIO at Gwinnett Medical Center (Lawrenceville, Ga.); Edward (Ed) McKinney, information security officer at Floyd Medical Center (Rome, Ga.); and Roy Wyman, a partner in the Nashville law firm of Nelson Mullins Riley & Scarborough LLP. The panel covered a broad range of discussion areas.
Pearson began by asking discussants, “How high a priority is security for most organizations right now?”
McKinney referenced a recent survey conducted by the CIT Group. “The CIT Group did a survey of senior health executives,” he said, “and in their survey, it was 88 percent a concern. And 90 percent said in the boardroom, IT security was becoming a very common topic that they were having to address. The thing that worries me a bit,” he said, “is when it’s not in the news. Right now, the malware/ransomware is definitely getting everyone’s attention, but we’ve got to be thinking about what we’re doing. It can’t just be a trend of attention to ransomware,” but rather, he stressed, the leaders of patient care organizations need to continue to focus strongly on healthcare IT security for the foreseeable future.
“Are boards of directors getting interested now?” Pearson asked. “Yes,” said Wyman. “A board hired me as their chief privacy officer in my most recent past position. They told the CEO, you’re not doing enough” to focus on healthcare IT security, he recounted. As a result, he said, “They brought in a CISO, a chief privacy officer, and others. So yes, I think that boards are becoming more aware. And I think boards are seeing more liability [that they might face as a result of their participation in hospital and other patient care organizations]; and they’re saying, hey, this isn’t just something I can put on my resume, this is something I have to do well,” he said, citing the federal Sarbanes-Oxley legislation that puts liability on directors for actions of the organizations they help to govern.
“I love that you mentioned Sarbanes-Oxley and that connection,” Pearson said. And, turning to Lavely, he asked, “Patty, how has your situation evolved at Gwinnett?” “Interestingly, it has related to the board,” Lavely responded. “Our board has gotten more involved and taken more of an interest and more of a leadership role than they ever have. And our work seems to be driven by our board of directors. And that’s been true for us in the past three years. And I think our overall workforce is becoming more educated, partly because of our efforts, and partly because of the efforts of the news media.”
In fact, Lavely said, mainstream news media coverage of IT and data security has helped her and her team, “Particularly because more people are having their identities stolen; so that when you start talking about security at work, people can relate it back to their own lives.”
Turning to Wyman, Pearson said, “Roy, you’re probably in touch with lots of different organizations. On the flip side, do you quantify in any way how many boards are not aware? How widespread is not being involved?”
“I don’t know the percentages,” Wyman said. “But what I’m seeing is that in the larger organizations, boards are very much aware; it’s on the front burner. I get calls every week” for help with a lot of basic issues, he said. “I had a call yesterday from someone saying, we’re buying up physician practices. But they had no chief compliance officer, had no idea what policies to implement. Part of this is that the burden is so high that organizations just push it all off. They say, we’ll wait until we’re bigger. But the problem is that you’re seeing physician practices being hit with fines of up to $750,000, not because there’s been a breach, but because they don’t have business associate agreements signed, and for other technical issues. And that’s waking people up.”
“So the expansion of [regulatory mandates] is making people more aware?” Pearson asked. “Yes, organizations are realizing they don’t have all the security and privacy policies and practices in place that they need,” Wyman responded.
Balancing security and end-user access